When the EU’s General Data Protection Regulation came into force, everyone was wondering whether national regulators would have the guts to dish out substantial fines. This case shows the intention — at least in the United Kingdom — but it remains to be seen how much British Airways will actually have to pay.
The U.K. plans to fine British Airways 183.4 million pounds ($230 million) over computer attacks that exposed customer data, marking the first major application of far-reaching European Union rules requiring companies to tighten anti-hacking measures.
The proposed penalty relates to data theft affecting about 500,000 customers between June and September last year, the U.K. Information Commissioner’s office, which protects data privacy, said in a statement Monday. BA parent IAG SA said the fine amounts to 1.5% of the airline’s 2017 revenue.
The ICO said the hack involved BA’s website traffic being diverted to a fraudulent site through which customer details were harvested, adding that security was compromised by poor protection of functions related to log-in, payment card, and travel booking details, as well name and address information.
“We are surprised and disappointed in this initial finding from the ICO,” British Airways Chairman and Chief Executive Officer Alex Cruz said in the statement.
IAG shares fell 1.5% to 449.8 pence at 8:06 a.m. in London.
BA had initially said its systems were compromised from Aug. 21 through Sept. 5 and that about 380,000 transactions had been affected, with Cruz describing the attack as sophisticated, malicious and criminal. At the time, it advised people to contact credit card providers to manage the breach and said stolen data didn’t include travel or passport details.
Cruz said Monday the airline responded quickly and hasn’t found any evidence of fraud on accounts linked to the theft.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,“ IAG CEO Willie Walsh said in the statement.
The EU’s General Data Protection Regulation allows, which took effect on May 25, 2018, requires companies to take technical precautions such as encryption to ensure customer data is protected. It also states that firms must notify authorities about breaches within 72 hours after learning about them.
Violations may lead to fines of as much as 4% of a company’s annual sales.
©2019 Bloomberg L.P.
This article was written by Christopher Jasper and Anthony Palazzo from Bloomberg and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to [email protected].
Photo credit: British Airways aircraft. The airline faces a substantial fine. Jason Alden / Boomberg